It was reported [1],[2] that due to changes in the is_a() function [3],[4] PHP 5.3.7 and 5.3.8 became vulnerable to remote arbitrary code execution when is_a() is used in certain ways. Due to the __autoload() implementation, if a user were able to upload a crafted file, it could be possible to pass the contents of the file as an argument to the __autoload() function which could in turn use that argument as a file to include(). If there was no adequate checking or enforcement of the file to load being, local, this could lead to including a remote script from a remote web site.
An example of a vulnerable __autoload() function could be:
function __autoload($class_name) {
include $class_name . '.php';
}
In the above example, were $class_name to include a remote URL, and if allow_url_fopen was enabled in php.ini, this could result in loading a remote PHP script on the server.
This flaw does not affect PHP versions prior to 5.3.7 were this change was introduced. A fix is in PHP's subversion repository (r317183) [5].
[1] http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
[2] https://bugs.php.net/bug.php?id=55475
[3] https://bugs.php.net/bug.php?id=53727
[4] http://svn.php.net/viewvc/?view=revision&amp;revision=312904
[5] http://svn.php.net/viewvc/?view=revision&amp;revision=317183
Statement:
Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6.